Trickery is Not a Vulnerability – Replace By Fees

At Ledger, we continuously strive to enhance the security that our devices and software bring. In these efforts, we’ve improved Ledger Live’s UX to decrease the chance of becoming a victim of a specific type of scam attempt. We’d like to give you a transparent view on this. 

In Response to ZenGo’s Responsible Disclosure

We were contacted by ZenGo regarding some UX issues in Ledger Live concerning Replace By Fees through our bounty program, since it could open up some scamming possibilities. We want to reassure you that it’s not a vulnerability, but instead a clever piece of social engineering where a malicious actor would try to trick you. It cannot be used to get your 24-word recovery phrase or access your crypto in any way. Your funds are safe. That said, we took this very seriously and have improved Ledger Live’s UX in a way that helps to prevent anyone from falling victim to it. Let’s take a closer look into it.

Trickery through Replace By Fees

As mentioned before, this method concerns a clever piece of trickery. There’s an advanced feature for Bitcoin and its derivatives known as Replace By Fee (RBF). This allows you to cancel a transaction that got stuck due to having set very low fees and replace it with another one that has higher fees instead. This can only be done if this transaction is still unconfirmed (for the techies: if it’s still stuck in the Mempool). Indeed, Replace By Fee can be a very useful feature.

Ledger Live, the software that works with our hardware wallets, shows transactions in your operation history before these are actually confirmed. This can be quite handy to be able to spot incoming transactions quicker. The amount of this unconfirmed transaction is equally shown in your total balance. However, since this transaction isn’t confirmed yet, it could be undone through Replace By Fee. Also if there are any unconfirmed transactions, it would pose a problem when trying to use the “Send Max” feature for a new transaction. It would be trying to send Bitcoin that you don’t have, thus it gets rejected.

As such, a malicious actor could try to trick you with a payment. Someone could tell you they’ll pay you 1 BTC for some goods you are selling. For this example, let’s say that’s a golden watch. You’re seeing the 1 BTC transaction pop up in Ledger Live and it’s reflected in your balance. All must therefore be good, thus you decide to ship the golden watch. At this point, they could use Replace By Fees and cancel that unconfirmed transaction.

The Good News

Firstly, your crypto, recovery phrase, private keys, PIN code etc. are not at risk. No one can access your crypto without your consent. This method purely relies on trying to trick you, much like traditional crypto scams do. Another good news is that we never had reports of anyone being tricked by this method.

We have now updated Ledger Live to include UX enhancements to warn regarding unconfirmed transactions, since we don’t want anyone falling victim to these kinds of clever schemes. Users were already able to verify the status of incoming transactions since links to block explorers were available in Ledger Live. We decided to highlight unconfirmed transactions directly in Ledger Live to enhance the user-experience even further. 

We’ve implemented a message in Ledger Live to appear near your balance whenever you have any incoming unconfirmed transactions. This way, you’ll be informed whenever there’s a transaction waiting to be confirmed still. Aside from this UX enhancement, we also fine-tuned the UX relating to RBF-cancelled transactions. While creating a Bitcoin transaction, Ledger Live will now no longer let unconfirmed transactions be used for new transactions by default. This will ensure that you won’t be facing any difficulties with the “Send Max” feature – even if any pending incoming transactions are cancelled. This setting can be changed if desired.

There’s also a few tips we’d like to give that could help you to not fall for these kinds of treacherous tricks. Firstly, it’s important to make sure that any transaction is confirmed first. For another, simply not making a transaction to someone you don’t know you can trust will avoid any threat in this. It can be seen as somewhat similar to you selling something on Ebay: you’d always make sure that you have first received the counterparty’s payment on your bank account before sending anything. The crypto equivalent of this would be to make sure that the incoming transaction is first confirmed. 

We’d also like to take the opportunity to thank ZenGo for their work and for notifying us of the scamming potential. It’s thanks to reports like these combined with the great work of our Ledger Donjon team that we’re able to continuously enhance the already high level of security that Ledger provides.